Rogue System Detection


Hello,

I have a question about how to configure RSD properly.

We are working with several domains and subnets and are planning to use RSD for every domain. The problem here lies in how RSD works when identifying an unauthorised system.
As far as I understand, only systems that belong to one domain within a subnet are authorised, but all other systems in this subnet unknown to the ePO server DB of this specific domain are going to be tagged as unauthorised, whether or not those systems belong to another domain within our company and are known on another ePO server (in another domain).

Question A
Is there a problem in having several sensors placed in one subnet while each sensor system belongs to another domain and will report to another ePO server?

Question B
Is there a possible solution for an automated process like (pseudocode): If Domain 1 = false but Domain 2 = true then recognise System X = authorised and send e-mail to xyz


In the following I will ask the same thing in German. I guess my English is not as good as it needs to be to explain my thoughts.

regards


Hello,

I have a question about RSD.

We have several domains with several subnets. The plan is to deploy RSD for every domain, but the configuration regarding the detected systems within the various subnets is proving problematic.

It is not the rule, but with regard to the domains there are certainly IP overlaps as far as the subnets are concerned. So a system belongs to domain B but has an IP address that is primarily used in domain A. Because of the way the ePO server works, one for each domain, the AD sync naturally gives us reports of unauthorised systems within a domain, since the ePO server checks the computer accounts against the respective domain.


Would there be known problems if, within one subnet, several systems with sensors are deployed that each belong to a different domain and accordingly also address a different ePO server?

Is there now a way to configure RSD so that it also checks the systems within a subnet for domain membership, and something like (pseudocode) "If domain A = false but domain B = true then authorised system = true and send notification to xyz" can be realised?

Regards

Message edited by Don_Martin on 22.09.11 05:27:43 CDT
1 Solution

Accepted Solutions
McAfee Employee
Message 4 of 7

Re: Rogue System Detection


Hi... I'm not completely sure I understand the question, but let me try and answer anyway. I think what you are describing is systems controlled by two separate ePO servers on the same subnet - is this correct? If so:

Question A

Is there a problem in having several sensors placed in one subnet while each sensor system belongs to another domain and will report to another ePO server?

No, there's no problem here: the sensors will not interfere with each other.


Question B
Is there a possible solution for an automated process like (pseudocode): If Domain 1 = false but Domain 2 = true then recognise System X = authorised and send e-mail to xyz

Yes, this is possible. Imagine you have two ePO servers, A and B. You can register the ePO servers with each other, and RSD can make use of both databases, so when a sensor belonging to server A detects a machine that belongs to server B, it can correctly identify this as "not a rogue".

Does that make sense? Or have I misunderstood?

Regards -

Joe

6 Replies

Re: Rogue System Detection


Hi,

You can put sensors where you like, but don't go mad with it. 3 or 4 per network would be enough for redundancy.

The thing to remember is that the sensors do not actually *care* about Windows domains at all; they are just listening for network traffic to identify anything on the subnets they can see that might be a rogue machine.

When it finds something interesting, it sends the data back to ePO and ePO decides if it is authorised (ie it has an agent installed) or not.

Hth.

Re: Rogue System Detection


Hello,

just to be sure: I have no option except blacklisting systems in case there are several systems within ONE subnet that belong to different domains, to prevent messages about unauthorised systems?! What a mess...


Re: Rogue System Detection


Hello,

this makes sense and no, you haven't misunderstood my questions nor the situation, but I suppose my English seriously needs to be refreshed...

I really appreciate your answer

McAfee Employee
Message 6 of 7

Re: Rogue System Detection


Believe me, your English is waaaaaaay better than my German

Glad to help -

Regards,

Joe

McAfee Employee
Message 7 of 7

Re: Rogue System Detection


To add to what Joe said, there is an option under Server Settings -> Detected Systems Compliance -> ePO Servers:

"Systems detected with an Agent that belongs to these ePO Servers should not be considered Rogue." Here you can key in the name of the other ePO server whose clients you would not want to be flagged as rogue.
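As an added illustration (not code from this thread, from McAfee, or from ePO itself; all server names, MAC addresses and IPs are constructed), a small Python model of the decision the two answers above describe: a detected host is rogue unless its agent is known to the sensor's own ePO server or to an ePO server that server has been told to trust.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample inventories: each ePO server only knows the agents that
# report to it. Keys are MAC addresses, values are agent GUIDs (all invented).
EPO_INVENTORY = {
    "epo-domain-a": {"00:11:22:aa:aa:01": "agent-a-001"},
    "epo-domain-b": {"00:11:22:bb:bb:01": "agent-b-001"},
}

@dataclass(frozen=True)
class Detection:
    reporting_server: str  # ePO server the detecting sensor reports to
    mac: str               # MAC of the host seen on the sensor's subnet
    ip: str

def classify(det: Detection, trusted: dict | None = None) -> str:
    """Model of the rogue decision: a detected host is not rogue when its
    agent is known to the sensor's own ePO server, or to one of the ePO
    servers that server trusts (the 'ePO Servers' entry under Detected
    Systems Compliance). Otherwise it is reported as rogue."""
    trusted = trusted or {}
    if det.mac in EPO_INVENTORY.get(det.reporting_server, {}):
        return "managed"
    for other in trusted.get(det.reporting_server, set()):
        if det.mac in EPO_INVENTORY.get(other, {}):
            return "managed-by-other-epo"
    return "rogue"

def rogue_hosts(detections, trusted: dict | None = None) -> list:
    """IPs that would trigger a rogue notification (the 'send e-mail to xyz'
    step from the question); everything else is suppressed."""
    return [d.ip for d in detections if classify(d, trusted) == "rogue"]

# Constructed scenario: domain A's sensor watches a subnet that also hosts a
# domain B machine and a device with no agent anywhere.
DETECTIONS = [
    Detection("epo-domain-a", "00:11:22:aa:aa:01", "10.0.1.10"),  # own agent
    Detection("epo-domain-a", "00:11:22:bb:bb:01", "10.0.1.20"),  # domain B agent
    Detection("epo-domain-a", "de:ad:be:ef:00:01", "10.0.1.99"),  # no agent at all
]

# Before: server A trusts nobody, so the domain B machine is flagged too.
BEFORE = rogue_hosts(DETECTIONS)  # ['10.0.1.20', '10.0.1.99']
# After: server A lists server B under Detected Systems Compliance -> ePO Servers.
AFTER = rogue_hosts(DETECTIONS, {"epo-domain-a": {"epo-domain-b"}})  # ['10.0.1.99']

if __name__ == "__main__":
    print("without trusted server:", BEFORE)
    print("with trusted server:   ", AFTER)
```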